IBM Support

QRadar: Updating the WinCollect authentication token

Question & Answer


Question

How do I update the authentication token for WinCollect without uninstalling the agent?

Answer

To verify your authentication token, log in to the QRadar Console as an administrator. Click Authorized Services and locate your WinCollect token. A WinCollect authorized service token is provided by default with the minimum permissions required to communicate with remote WinCollect agents. This token should not be expired or deleted.

Procedure
  1. From the QRadar Console, click Admin > Authorized Services.
  2. Select the WinCollect token and copy the value.
  3. Open a remote desktop (RDP) session to the Windows host with the WinCollect agent.
  4. From the Windows Start menu, click Start > All Programs > Administration Tools > Services.
  5. Select the WinCollect service.
  6. Click Stop.
  7. From the Windows Start menu, select All Programs > Accessories.
    Note: Optionally, press the Windows logo key+R, type cmd, and press Ctrl+Shift+Enter to start administrator mode.
  8. Right-click on the Command Prompt.
  9. Select Run as administrator.
  10. Navigate to the bin directory for the WinCollect agent. The default path is C:\Program Files\IBM\WinCollect\bin.
  11. To change the authentication token for your WinCollect agent, type:
    InstallHelper.exe -T authentication_token_value
    For example:
    InstallHelper.exe -T xxxxx-xxxx-xxxx-xxxx-xxxxx
  12. From the Windows Start menu, click Start > All Programs > Administration Tools > Services.
  13. Select WinCollect.
  14. Click Start.

Results
The InstallHelper utility creates an obfuscated token in the C:\Program Files\IBM\WinCollect\config\install_config.txt file for the WinCollect agent. After the WinCollect service starts, communication can begin if TCP/8413 is open to the QRadar appliance.

Administrators who continue to experience issues can move the ConfigurationServer.PEM file to confirm whether communication is successful. When you move the ConfigurationServer.PEM file out of the C:\Program Files\IBM\WinCollect\config\ directory, the QRadar appliance issues a new PEM file. If you refresh the directory and the ConfigurationServer.PEM file is regenerated, this confirms that the agent and the QRadar appliance can communicate on TCP/8413.
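The procedure and the checks from the Results section can be scripted as follows. This is an added example, not an IBM-supplied script. It assumes the Windows service is named WinCollect (confirm with Get-Service), and the $QRadarHost parameter and the Get-ConfigStamp helper are names introduced here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the manual token update. Not IBM code.
param(
    [Parameter(Mandatory)] [string] $QRadarHost,                # assumption: address of your QRadar appliance
    [string] $AgentRoot   = 'C:\Program Files\IBM\WinCollect',  # default install path from the article
    [string] $ServiceName = 'WinCollect'                        # assumption: verify with Get-Service
)
$ErrorActionPreference = 'Stop'

$helper = Join-Path $AgentRoot 'bin\InstallHelper.exe'
$config = Join-Path $AgentRoot 'config\install_config.txt'
if (-not (Test-Path $helper)) { throw "InstallHelper.exe not found at $helper" }

# Hypothetical helper: last write time of install_config.txt, or MinValue if absent.
function Get-ConfigStamp {
    if (Test-Path $config) { (Get-Item $config).LastWriteTimeUtc } else { [datetime]::MinValue }
}

# Prompt for the token so it is not saved in the script or in console history.
$secure = Read-Host -Prompt 'WinCollect authentication token' -AsSecureString
$token  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($token)) { throw 'No token entered.' }

$before = Get-ConfigStamp
Stop-Service -Name $ServiceName                  # steps 4-6
try {
    Push-Location (Split-Path $helper)           # step 10
    & $helper -T $token                          # step 11
}
finally {
    Pop-Location
    $token = $null
    Start-Service -Name $ServiceName             # steps 12-14, also runs if the helper fails
}

# Results: InstallHelper should have rewritten install_config.txt,
# and the agent needs TCP/8413 open to the QRadar appliance.
$after = Get-ConfigStamp
$probe = Test-NetConnection -ComputerName $QRadarHost -Port 8413 -WarningAction SilentlyContinue

[pscustomobject]@{
    ServiceStatus    = (Get-Service -Name $ServiceName).Status
    ConfigRewritten  = $after -gt $before
    Tcp8413Reachable = $probe.TcpTestSucceeded
}
```

As in the manual procedure, the token is passed to InstallHelper.exe as a command-line argument, so hosts that log process command lines will record it in clear text.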


Document Information

Modified date:
04 December 2020

UID

swg21980132